MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91d07db42921a9ffe88f14cc796ae63454267d252acd7a528b6a2e4ec327310d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91d07db42921a9ffe88f14cc796ae63454267d252acd7a528b6a2e4ec327310d
SHA3-384 hash: e26feaf788aaff1ca764d5eda27a82a98193b3c206979ff6ce3a7f281dff86cb8b87c9f15a3821834a1ce196ca8882f5
SHA1 hash: e89fd48882988066bb67e5a55ae1ec54d689dc20
MD5 hash: 23f1cb46f58dadd81788b5c279dc997f
humanhash: summer-low-uncle-happy
File name:Charter Details.vbs
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:77'399 bytes
First seen:2021-10-05 13:53:35 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:Pl66nqJJr/nlmmrj/yJR4jr/WnuXqmq4lkonmU4ym4mnui2lJmlrjkRrlkJr/XyZ:OMk
Threatray 1'417 similar samples on MalwareBazaar
TLSH T1367343C90E84CAF026CB9A6F93E96D92683E35FD28FD9CD1C942D162063177C178B54B
Reporter Anonymous
Tags:AsyncRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195092/
Detection(s):
SecuriteInfo.com.W32.HfsVibisi..4437.26060.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/615c5902e3d213d202b78d7f/reports/82d8da43-b460-4db5-89f1-f958882d0ce7/overview
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864844
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Drops script at startup location
Sigma detected: Encoded IEX
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497281 Sample: Charter Details.vbs Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected RUNPE 2->46 48 7 other signatures 2->48 8 wscript.exe 1 2->8         started        11 wscript.exe 1 2->11         started        process3 signatures4 54 VBScript performs obfuscated calls to suspicious functions 8->54 56 Suspicious powershell command line found 8->56 58 Wscript starts Powershell (via cmd or directly) 8->58 13 powershell.exe 14 19 8->13         started        18 powershell.exe 12 11->18         started        process5 dnsIp6 36 pastetext.net 172.67.214.206, 443, 49784 CLOUDFLARENETUS United States 13->36 32 C:\Users\Public\SysLogin.PS1, ASCII 13->32 dropped 60 Drops VBS files to the startup folder 13->60 20 powershell.exe 16 13->20         started        23 conhost.exe 13->23         started        34 C:\Users\user\AppData\...\SystemLogin.vbs, ASCII 18->34 dropped 62 Writes to foreign memory regions 18->62 64 Injects a PE file into a foreign processes 18->64 25 conhost.exe 18->25         started        27 InstallUtil.exe 18->27         started        file7 signatures8 process9 signatures10 50 Writes to foreign memory regions 20->50 52 Injects a PE file into a foreign processes 20->52 29 InstallUtil.exe 2 2 20->29         started        process11 dnsIp12 38 joelthomas.linkpc.net 194.5.98.184, 49785, 49867, 5900 DANILENKODE Netherlands 29->38 40 192.168.2.1 unknown unknown 29->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91d07db42921a9ffe88f14cc796ae63454267d252acd7a528b6a2e4ec327310d/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 13:54:09 UTC
AV detection:
5 of 45 (11.11%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
12f2e964639c39076f29196264c1dcbd3792eaaaa77aca14986a802a122b341b
AsyncRAT
134970a4894d8c7cfd33a8e26f8d4fe1397cd249d0d864f7e50530c051c1cf8d
AsyncRAT
25e21f55b7fbffe0d90e6845044e3e907964a5c278f29fcd1cf0fff9916a2ac3
AsyncRAT
486b4fcc5a6e4f4e949aa11aa3f2e9d8d2075ac8445617af8c41ab214f6dbfa0
AsyncRAT
51e4dce11e58aa2be5d3c73056bf45652de5032dcb29636b28f2c1659df135db
AsyncRAT
b01e228a3a1eadae8c2a23a315ec1b758672d4847ead57402d6d760377104ee0
AsyncRAT
ca84e70120b5fb479ca54211645ac24d562849107ef0e04df6741c0b88d6d168
AsyncRAT
e94b5bfcea6689274d9bca93a3d77c03ecbf49e2ca1dff4e3fe8baec0f401b3f
AsyncRAT
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42
AsyncRAT
+ 1'407 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/211005-q7kehshhc2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
joelthomas.linkpc.net:5900
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/91d07db42921/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91d07db42921a9ffe88f14cc796ae63454267d252acd7a528b6a2e4ec327310d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/195092/

Comments